Acl Management
t41 proposes a simple ACL management system based on roles, resources, and privileges that are granted or denied on those resources, depending on whether a whitelist or a blacklist definition is chosen.
ACL are enforced within action controllers.
ACL are defined directly or through configuration files. Below is the skeleton of an XML-based configuration file (either acl.xml in the application/configs directory or module.xml in a module's configs directory).
<config>
    <acl>
        <roles>
            ...
        </roles>
        <resources>
            ...
        </resources>
    </acl>
</config>
Roles are containers of granted or denied privileges. They are identified by a unique key (the id attribute).
<config>
    <acl>
        <roles>
            <role id="editor">
                <label>Content Editor</label>
            </role>
        </roles>
    </acl>
</config>
Role hierarchy is implicit, and privilege delegation between roles can be defined.
<roles>
    ...
    <role id="manager">
        <label>Content Manager</label>
        <delegates_to>
            <editor/>
        </delegates_to>
    </role>
</roles>
Roles that share many privileges can be grouped, and the group id is then used to grant or deny privileges to all of its members.
<roles>
    ...
    <role id="staff" type="group">
        <label>Content Staff</label>
        <members>
            <editor/>
            <manager/>
        </members>
    </role>
</roles>
What are the different types of resources?
Access to an action controller can be granted or denied. The resource is defined in the module:controller:action form, e.g. myModule:myController:myAction, which matches the /mymodule/mycontroller/myaction URI.
Here's how to declare such resources in module.xml:
<config>
    <modules>
        <module id="mymodule" vendor="myname">
            ...
            <resources>
                <base>module</base>
                <resource id="controller/action">
                    <label>My Action Controller</label>
                    <acl>
                        <editor/>
                    </acl>
                </resource>
            </resources>
        </module>
    </modules>
</config>
Access to a CRUD function on a type of object can also be granted or denied. The resource then has the structure class:crudAction, e.g. My\Namespace\MyClass:create.
Privileges can be restricted to a specific instance of the class if its Object URI representation is appended to the resource, e.g. My\Namespace\MyClass:update:@mysql0/table/1.
It is also possible to define less restrictive resources such as My\Namespace\MyClass:update:@mysql0, which sets the privilege of updating all My\Namespace\MyClass objects in the backend identified by the @mysql0 alias.
The keyword all can be used to define a global privilege, e.g. all:create (the user is granted or denied the create privilege for all classes) or all:update:@mysql0 (the user is granted or denied the update privilege on all objects whose backend is identified by the @mysql0 alias).
Privileges can be defined for any other method available in a given class.
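To make the role, group and resource rules above concrete, here is a small evaluator for that configuration layout. It is an added illustration, not t41's own ACL implementation: the XML is constructed for the example, the `<resource>`/`<acl>` layout inside acl.xml is assumed to mirror the module.xml one shown above, and the matching rules (group membership expansion, the all keyword, a backend alias such as @mysql0 covering every object URI beneath it) are my reading of the page. Role delegation is not modelled because the page does not spell out its exact semantics.

```python
import xml.etree.ElementTree as ET

# Constructed sample acl.xml (not from the project). In whitelist mode a role
# listed under a resource's <acl> is granted that resource.
ACL_XML = r"""<config>
  <acl>
    <roles>
      <role id="editor"><label>Content Editor</label></role>
      <role id="manager"><label>Content Manager</label></role>
      <role id="staff" type="group">
        <label>Content Staff</label>
        <members><editor/><manager/></members>
      </role>
    </roles>
    <resources>
      <!-- update any MyClass object stored in the @mysql0 backend -->
      <resource id="My\Namespace\MyClass:update:@mysql0"><acl><staff/></acl></resource>
      <!-- delete one specific instance only -->
      <resource id="My\Namespace\MyClass:delete:@mysql0/table/1"><acl><manager/></acl></resource>
      <!-- global privilege: create objects of any class -->
      <resource id="all:create"><acl><manager/></acl></resource>
    </resources>
  </acl>
</config>"""


def load_acl(xml_text):
    """Return (groups, rules): group id -> member role ids, resource id -> role ids listed."""
    root = ET.fromstring(xml_text)
    groups, rules = {}, {}
    for role in root.iterfind("./acl/roles/role"):
        if role.get("type") == "group":
            members = role.find("members")
            groups[role.get("id")] = {m.tag for m in members} if members is not None else set()
    for res in root.iterfind("./acl/resources/resource"):
        acl = res.find("acl")
        rules[res.get("id")] = {r.tag for r in acl} if acl is not None else set()
    return groups, rules


def effective_roles(role, groups):
    """The role itself plus every group it belongs to (followed transitively)."""
    roles, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r in roles:
            continue
        roles.add(r)
        todo.extend(g for g, members in groups.items() if r in members)
    return roles


def parse_resource(rid):
    """Split 'class:action[:objectUri]'; class may be the keyword all."""
    cls, action, *rest = rid.split(":", 2)
    return cls, action, rest[0] if rest else None


def covers(pattern, requested):
    """Does a configured resource pattern cover the requested resource?"""
    pc, pa, pu = parse_resource(pattern)
    rc, ra, ru = parse_resource(requested)
    if pc != "all" and pc != rc:
        return False
    if pa != ra:
        return False
    if pu is None:            # pattern applies to every instance of the class
        return True
    if ru is None:            # request is broader than an instance-scoped pattern
        return False
    # '@mysql0' covers '@mysql0/table/1' but must not cover '@mysql01/...'
    return ru == pu or ru.startswith(pu + "/")


def is_allowed(role, requested, acl, mode="whitelist"):
    """Whitelist: a matching rule naming one of the role's effective roles grants access.
    Blacklist (assumed semantics): such a rule denies it, everything else is allowed."""
    groups, rules = acl
    roles = effective_roles(role, groups)
    hit = any(covers(p, requested) and roles & listed for p, listed in rules.items())
    return hit if mode == "whitelist" else not hit


if __name__ == "__main__":
    acl = load_acl(ACL_XML)
    print(is_allowed("editor", r"My\Namespace\MyClass:update:@mysql0/table/7", acl))   # True via staff
    print(is_allowed("editor", r"My\Namespace\MyClass:delete:@mysql0/table/1", acl))   # False
```

The prefix check in `covers` is the part worth copying: a naive `startswith("@mysql0")` would let a privilege on backend @mysql0 leak onto a backend named @mysql01, so the alias must be matched as a whole path component.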